In recent years network intrusion detection has become an important area for both commercial interests and academic research. Applications of network intrusion detection typically stem from the perspectives of network monitoring and network security. For network monitoring, characteristics such as the flows that share a link of a given capacity, flow size distributions, and the number of distinct flows are of interest. In network security, attention is paid to characterizing known or unknown anomalous patterns of an attack or a virus.
Network Intrusion Detection Systems (NIDS) work by detecting malicious activity such as denial of service attacks, port scans or attempts to crack into computers. A NIDS reads all of the incoming packets and tries to find suspicious patterns known as signatures or rules.
Network Behavior Anomaly Detection (NBAD) Systems work by continuously monitoring the network for unusual events or trends. NBAD programs track critical network characteristics in real time and generate an alarm if an unusual event or trend is detected that could indicate the presence of a threat. Large-scale examples of such characteristics include traffic volume, bandwidth use and protocol use. In order for NBAD to be optimally effective, a baseline of normal network or user behavior must be established over a period of time. Once certain parameters have been defined as normal, any departure from one or more of them is flagged as anomalous.
Unfortunately the use of IPsec (Internet Protocol Security), which encrypts network traffic, renders network intrusion detection virtually useless unless traffic is decrypted at network gateways. One alternative to NIDSs is host-based intrusion detection systems (HIDSs), which provide some of the functionality of NIDSs but with limitations: HIDSs cannot perform a network-wide analysis and can be subverted if a host is compromised.
Many present day networks, including the Navy network, are moving towards the encryption of all traffic. For instance, a large portion of the Navy network is Type-1 encrypted. Currently available market/commercial products do not address a fully cyphertext network. They work by blocking application layer exploits, detecting HTTP specific attacks, employing deep packet inspection technologies and characterizing unencrypted flows.
Presently there are no industry/government solutions available to address the problem of cyber attack detection within fully encrypted network traffic where the problem is compounded by the scarcity of available parameters.
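The NBAD approach described above can still be applied when payloads are encrypted, because per-interval byte counts, packet counts and peer counts remain observable. The following is an added illustration, not part of this document, of a baseline-and-deviation detector over such metadata; the interval records and the z-score threshold of 3 are constructed assumptions.

```python
# Added example (not from the original page): a minimal NBAD-style baseline
# over flow metadata that survives encryption (byte counts, packet counts,
# distinct peers per interval). All sample data below is constructed.
from statistics import mean, pstdev

# Each interval record: (bytes, packets, distinct_peers). Constructed sample
# representing ten "normal" measurement intervals used to learn the baseline.
BASELINE_INTERVALS = [
    (52_000, 410, 12), (48_500, 395, 11), (55_200, 430, 13),
    (50_100, 402, 12), (53_700, 418, 12), (49_300, 399, 11),
    (51_800, 411, 13), (54_100, 425, 12), (50_600, 405, 11),
    (52_400, 414, 12),
]

FEATURES = ("bytes", "packets", "distinct_peers")

def build_baseline(intervals):
    """Per-feature (mean, population std-dev) over the training window."""
    baseline = {}
    for idx, name in enumerate(FEATURES):
        column = [rec[idx] for rec in intervals]
        baseline[name] = (mean(column), pstdev(column))
    return baseline

def score_interval(record, baseline, threshold=3.0):
    """Return {feature: z-score} for each feature whose |z| exceeds threshold.
    An empty dict means the interval lies within the learned normal range."""
    flagged = {}
    for idx, name in enumerate(FEATURES):
        mu, sigma = baseline[name]
        if sigma == 0:
            # Feature was constant during training: any change is anomalous.
            z = 0.0 if record[idx] == mu else float("inf")
        else:
            z = (record[idx] - mu) / sigma
        if abs(z) > threshold:
            flagged[name] = round(z, 2)
    return flagged

if __name__ == "__main__":
    base = build_baseline(BASELINE_INTERVALS)
    # Constructed probes: a normal interval, a packet burst with ordinary byte
    # volume (many small packets), and an interval with unusually many peers.
    print(score_interval((51_000, 408, 12), base))    # {} -> normal
    print(score_interval((51_500, 2_900, 12), base))  # flags "packets"
    print(score_interval((52_000, 415, 140), base))   # flags "distinct_peers"
```

Note that the detector never inspects payload bytes, so it is unaffected by IPsec; the trade-off is that only coarse volumetric deviations are visible.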
Industry also faces a problem when it comes to cloud computing and the processing of encrypted packets. The solution adopted there is Homomorphic Encryption, where a specific algebraic operation performed on the plaintext side is equivalent to another (possibly different) algebraic operation performed on the cyphertext side. Unfortunately Homomorphic Encryption does not address detection of cyber attacks on the cyphertext side of the network.